We are writing to you about the Initial Report on the Privacy & Proxy Services published on May 5th, which proposes requiring “commercial website” owners to display their address under their WHOIS data. Broadly defined, this prevents millions of site owners from safeguarding their private information. We strongly oppose the Working Group’s proposal, which will physically endanger many domain owners and disproportionately impact those who come from marginalized communities. People perceived to be women, nonwhite, or LGBTQ are often targeted for harassment, and such harassment inflicts significant harm [1]. The endemic nature of inequity online is a matter of deep concern for all of us, as we are working to make the Internet a safe and accessible place for all voices.

The proposal in front of ICANN would radically undermine progress in that direction, in part by making it far easier to dox domain owners. “Doxing” is the malicious practice of obtaining someone’s personal information (e.g. home address, phone number, etc) and making that information more readily and widely available. Doxing makes possible a wide range of crowdsourced harassment and intimidation, which includes everything from unwanted pizza deliveries to unrelenting barrages of rape- and death threats. Doxing also enables “swatting,” or calling in false tips that send a fully armed SWAT team crashing through a targeted person’s door. Public online directories give doxers, swatters, and stalkers alike easy access to their targets’ personal information.

Our concern about doxing is not hypothetical. Randi Harper, a technologist, anti-harassment activist, and founder of the Online Abuse Prevention Initiative, was swatted based on information obtained from the WHOIS record for her domain. The only reason law enforcement did not draw their weapons and break down Harper’s door was that she had previously warned her local police department about swatting.

Even the most limited definition of a “website handling online financial transactions for commercial purpose” will encompass a wide population that could be severely harmed by doxing, such as:

women indie game developers who sell products through their own online stores

freelance journalists and authors who market their work online

small business owners who run stores or businesses from their homes

activists who take donations to fund their work, especially those living under totalitarian regimes

people who share personal stories online to crowdfund medical procedures

To make things worse, the proposed definition of what constitutes “commercial purpose” could be expanded to include other types of activity such as running ads or posting affiliate links.

If implemented, the current proposal will chill speech—especially speech from people who lack access to lavish legal resources. It will be a generous gift both to harassers and to oppressive regimes. It will curb economic activity by adding untenable risk to using a website to promote one’s business or to collect donations, and may even add this risk to hosting ads. Women, people of color, and members of other marginalized communities, who are the most frequent targets of doxing, will be forced to take costly, speech-restrictive steps in order to protect themselves.

The WHOIS system is, in the words of ICANN’s own Expert Working Group on gTLD Directory Services, “widely regarded as ‘broken,’” [2] but the proposed change will make WHOIS even worse. The proposal leaves domain owners with three options:

accept the risk of having their home address available to all

pay for a P.O. box—although that option is not available in every region or country

falsify their address information

Falsified information, however, puts domain owners at risk of having their domains terminated for breaching their registrars’ terms of service. Because the remaining options are either “public” or “pay,” domain owners who are targets or potential targets of harassment have a safety tax levied upon them. While some registrars currently charge a fee to withhold personal information from WHOIS, the current proposal will make an already-undue burden even more burdensome.

Although the working group stakeholders’ concerns about being able to verify consumer transactions and find information about businesses are valid, we did not find any evidence that Internet users are having difficulty getting information about businesses because of privacy and proxy services. Further, law enforcement agencies and copyright-holders are already able to access this information through existing legal processes. The unclear merits of this proposal cannot outweigh the inevitable harm that will follow from making millions of website owners’ personal information public. Even an ICANN working group recognized (in 2013) that in cases “where identification of speakers would cause a threat to their lives or those of their families,” individuals should be entitled to heightened privacy protection.

We strongly recommend that the proposed policy not be adopted. We further recommend that ICANN revisit its own findings from 2013 and move toward making WHOIS privacy the default for everyone. We believe that ICANN should not be complicit in making doxing, stalking, & swatting any easier than they already are. While ICANN certainly did not set out to exacerbate online harassment, that will ultimately be the result of this policy.